fishmech posted:so is the windows defender thing meant to be the same as this yes, that's it. the project zero bug for it is public now as was linked upthread. the cumulative updates for windows 10 RTM, 1511, and 1607 have not been published so far today while the 1703 one has so there must be something else up that's causing a delay.
|
# ? May 9, 2017 18:34 |
|
haveblue posted:it can be triggered by automated inbound data like email bodies, IMs, etc I was thinking that made it a bit of a reach on servers, but I guess Exchange does exist and has the option of automatic AV scanning. I think it was slightly oversold between wormable and default install... Because things like that have happened before to fully patched systems, granted not in ~15 years.
|
# ? May 9, 2017 18:55 |
|
Number19 posted:yes, that's it. the project zero bug for it is public now as was linked upthread. this morning I had a patched version of the windows defender runtime already
|
# ? May 9, 2017 19:12 |
|
akadajet posted:this morning I had a patched version of the windows defender runtime already yes, the defender update is out. the regular patch tuesday updates for windows 10 RTM, 1511, and 1607 haven't hit my WSUS yet even though 1703 has
|
# ? May 9, 2017 19:16 |
|
James Baud posted:I was thinking that made it a bit of a reach on servers, but I guess Exchange does exist and has the option of automatic AV scanning. if you aren't exempting exchange dirs from AV you're gonna have a bad time https://gallery.technet.microsoft.com/office/Generate-Antivirus-f1a9a59e there's a powershell script to do it for you by an MVP
|
# ? May 9, 2017 19:28 |
|
i mean one of the money quotes from the report is literally:quote:Extra care should be taken sharing this report with other Windows users via Exchange, or web services based on IIS, and so on.
|
# ? May 9, 2017 19:48 |
|
haveblue posted:corporate IT forced me to install an awful AV package that greatly increased build times, so I broke it by messing around in terminal and they got tired of trying to unbreak it yeah I had a pretty identical situation recently. it peaked for me when I got a very polite email from IT asking why their management software asking if there was a problem with my machine, because Sophos was stuck trying to install itself infinitely 😅
|
# ? May 9, 2017 19:51 |
https://www.invincea.com/datasheets/invincea-machine-learning ehhhh
|
# ? May 9, 2017 22:13 |
catching up on news. i guess im the 900 grand fbi paid to buy an ios 0day from israelis
|
# ? May 9, 2017 22:17 |
|
|
# ? May 10, 2017 00:58 |
|
nice!
|
# ? May 10, 2017 01:52 |
|
https://twitter.com/_lennart/status/861714732709031936 something something raw lightsockets
|
# ? May 10, 2017 02:07 |
|
hasn't he ever heard of onion bulbs
|
# ? May 10, 2017 02:18 |
|
ntp tho?
|
# ? May 10, 2017 02:29 |
|
YO MAMA HEAD posted:hasn't he ever heard of onion bulbs
|
# ? May 10, 2017 02:43 |
|
also: https://security.stackexchange.com/questions/158802/how-can-this-executable-have-an-avi-extension unicode
|
# ? May 10, 2017 02:43 |
|
YO MAMA HEAD posted:hasn't he ever heard of onion bulbs Nice!
|
# ? May 10, 2017 02:45 |
|
YO MAMA HEAD posted:hasn't he ever heard of onion bulbs
|
# ? May 10, 2017 03:02 |
|
flakeloaf posted:https://twitter.com/_lennart/status/861714732709031936 loving lol. this is a great future we're building here
|
# ? May 10, 2017 03:06 |
|
redleader posted:loving lol. this is a great future we're building here
|
# ? May 10, 2017 03:15 |
|
flakeloaf posted:https://twitter.com/_lennart/status/861714732709031936
|
# ? May 10, 2017 03:15 |
|
Meat Beat Agent posted:also: https://security.stackexchange.com/questions/158802/how-can-this-executable-have-an-avi-extension Holy poo poo that's fiendishly clever.
|
# ? May 10, 2017 03:19 |
|
on the other hand this tweet is far more interesting https://twitter.com/aikii/status/862008738659659783
|
# ? May 10, 2017 03:20 |
|
anthonypants posted:no one's going to post the reply he makes to his own tweet where he goes "oh that's the ntp server i set up on my modem which is using openwrt. that's the openwrt ntp servers." are they
|
# ? May 10, 2017 03:21 |
|
Meat Beat Agent posted:also: https://security.stackexchange.com/questions/158802/how-can-this-executable-have-an-avi-extension
|
# ? May 10, 2017 03:56 |
|
anthonypants posted:on the other hand this tweet is far more interesting https://twitter.com/aikii/status/862008738659659783 im Female-Young adult, Attention time: 219
|
# ? May 10, 2017 04:16 |
|
Meat Beat Agent posted:also: https://security.stackexchange.com/questions/158802/how-can-this-executable-have-an-avi-extension Glad I'm back in 1995, regularly downloading porn_movie.avi.exe.com.swf again.
|
# ? May 10, 2017 04:45 |
|
Meat Beat Agent posted:also: https://security.stackexchange.com/questions/158802/how-can-this-executable-have-an-avi-extension oh that's real cute
|
# ? May 10, 2017 04:57 |
|
ate poo poo on live tv posted:Glad I'm back in 1995, regularly downloading porn_movie.avi.exe.com.swf again.
|
# ? May 10, 2017 05:04 |
|
Does anyone know the process to get AV companies to care about some malware? Doing IR for this hopeless company that got hosed by a certain nation state, they had like four different implants, only one of which is being detected by like 6 on virustotal. The rest are totally not detected, but these binaries are not even obfuscated. Lots of strings and debug strings. That one is a Remexi implant, Symantec did a writeup on Remexi, wrote a report with YARA signatures. Symantec endpoint protection, installed on all of their hosts, failed to detect it. Like one of these hits Google Drive and calls createprocess after downloading whatever new poo poo. How is there not a heuristic "Internet connectivity, and then this process spawned cmd.exe as a child"! AV is loving worthless. But there's got to be some way to get Symantec to trigger on these samples at least, right?
|
# ? May 10, 2017 13:45 |
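The heuristic the post above asks for ("outbound connection, then cmd.exe spawned as a child") is easy to sketch as a correlation over process and network telemetry. This is an added example, not code from the thread or from any AV vendor; the event records are constructed and only loosely modelled on Sysmon event IDs 1 (process create) and 3 (network connection), and the allowlist and time window are assumptions to be tuned per estate.

```python
"""Toy 'network, then shell' correlation over constructed endpoint telemetry."""

SHELLS = {"cmd.exe", "powershell.exe"}
# Browsers legitimately connect out and spawn helpers; assumed allowlist, tune per estate.
ALLOWLIST = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Constructed telemetry: pids, paths and addresses are made up.
EVENTS = [
    {"t": 100, "id": 3, "pid": 4242, "image": r"C:\Users\bob\AppData\sync.exe",
     "dst": "203.0.113.10", "dport": 443},
    {"t": 105, "id": 1, "pid": 4243, "ppid": 4242,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"t": 200, "id": 3, "pid": 5000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "203.0.113.20", "dport": 443},
    {"t": 210, "id": 1, "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"t": 400, "id": 1, "pid": 6001, "ppid": 6000,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def basename(path):
    """Last path component, lower-cased, so image comparisons are case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def net_then_shell(events, window=60):
    """Return one alert per shell spawned within `window` seconds of its parent's last outbound connection."""
    last_net = {}  # pid -> (time, parent image name, destination)
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        name = basename(ev["image"])
        if ev["id"] == 3:
            last_net[ev["pid"]] = (ev["t"], name, ev["dst"])
        elif ev["id"] == 1 and name in SHELLS:
            parent = last_net.get(ev["ppid"])
            if parent is None:
                continue  # parent never talked to the network: not this heuristic's business
            t_net, parent_name, dst = parent
            if parent_name in ALLOWLIST or ev["t"] - t_net > window:
                continue  # known-noisy parent, or the connection was too long ago
            alerts.append({"parent_pid": ev["ppid"], "parent": parent_name,
                           "dst": dst, "child": ev["cmdline"]})
    return alerts
```

On the constructed events only the unknown `sync.exe` parent fires; the browser is suppressed by the allowlist and the third shell has no networked parent.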
|
ate poo poo on live tv posted:Glad I'm back in 1995, regularly downloading porn_movie.avi.exe.com.swf again. i think u mean porn_movie.avi.exe.com.nsfw
|
# ? May 10, 2017 13:48 |
|
Daman posted:Does anyone know the process to get AV companies to care about some malware? Doing IR for this hopeless company that got hosed by a certain nation state, they had like four different implants, only one of which is being detected by like 6 on virustotal. The rest are totally not detected, but these binaries are not even obfuscated. Lots of strings and debug strings. That one is a Remexi implant, Symantec did a writeup on Remexi, wrote a report with YARA signatures. Symantec endpoint protection, installed on all of their hosts, failed to detect it. AV vendors all share samples and have VT feeds, so if you submit it at VT it will get picked up.
|
# ? May 10, 2017 13:48 |
|
I would think Symantec probably takes ages to detect new stuff from feeds, there's gotta be some high priority channel...
|
# ? May 10, 2017 13:54 |
|
Daman posted:I would think Symantec probably takes ages to detect new stuff from feeds, there's gotta be some high priority channel...
|
# ? May 10, 2017 14:12 |
|
hmmm. our hr system will generate you a pdf of your pay and the filename just appears to be [your id]_filename_[some number].pdf which is passed as a get request from the browser. it prompts for logon but what is the betting that a)once logged on it does not check if the logged on user has access to that doc so you can traverse the file names and b) i will get fired if i try to test this out
|
# ? May 10, 2017 17:42 |
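The question in the post above is whether the endpoint authorises the document after authenticating the user. As an added illustration (not code from the thread or from any HR product), here is a stdlib-only handler in both forms, assuming the `<userid>_payslip_<n>.pdf` naming from the post and a constructed server-side ownership table.

```python
"""Payslip download handler: the authentication-only version beside one that checks ownership."""
import re

# Assumed naming scheme from the post; anchored so traversal and stray characters are rejected.
NAME_RE = re.compile(r"^(?P<owner>\d+)_payslip_(?P<seq>\d+)\.pdf$")

# Constructed store: filename -> owning user id (the server-side source of truth).
DOCS = {"1001_payslip_7.pdf": 1001, "1002_payslip_7.pdf": 1002}


def serve_vulnerable(filename, session_user):
    """Requires a login but never checks ownership: any logged-in user can fetch any payslip."""
    if session_user is None:
        return 401, None
    if filename not in DOCS:
        return 404, None
    return 200, filename


def serve_hardened(filename, session_user):
    """Authorise against the server-side owner record, not the id embedded in the client-supplied name."""
    if session_user is None:
        return 401, None
    if not NAME_RE.fullmatch(filename):
        return 400, None  # malformed name: traversal attempts, odd extensions, etc.
    owner = DOCS.get(filename)
    # Same response for 'missing' and 'not yours' so enumeration gets no confirmation of existence.
    if owner is None or owner != session_user:
        return 404, None
    return 200, filename
```

Logging the denied requests (user, requested name, source address) is what turns the check into something a SOC can actually see.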
|
Powerful Two-Hander posted:i will get fired if i try to test this out well, we all know the motto of the secfuck thread: "just touch the poop. really get in there and squeeze until it oozes through the gaps between your fingers"
|
# ? May 10, 2017 17:49 |
|
Powerful Two-Hander posted:hmmm. our hr system will generate you a pdf of your pay and the filename just appears to be [your id]_filename_[some number].pdf which is passed as a get request from the browser. What if you try it out with a figure whose salary is public facing, then bring it to HR as a security issue
|
# ? May 10, 2017 17:52 |
funny Star Wars parody posted:What if you try it out with a figure whose salary is public facing, then bring it to HR as a security issue
|
# ? May 10, 2017 17:53 |
|
cinci zoo sniper posted:you can still get perfectly hosed Oh yeah for sure, i'm just trying to give him a stick to poke at it
|
# ? May 10, 2017 17:53 |
|
funny Star Wars parody posted:Oh yeah for sure, i'm just trying to give him a stick to poke at it
|
# ? May 10, 2017 17:55 |